All Questions
6 questions
0 votes, 0 answers, 93 views
Bash deletes null bytes in exploit input for ROP/return-to-libc
I am trying to do a return-to-libc exploit. The goal is to gain a shell with root privilege by calling setuid(0) and then system("/bin/sh"). I have been agonizing over trying to get this thing ...
0 votes, 0 answers, 94 views
Trying to ret2text on a 64-bit program: can't jump to shell
Here is the elf summary of the program:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
This is the ...
1 vote, 2 answers, 604 views
How do attackers determine ROP gadgets remotely?
Given that gadgets change per system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
-1 votes, 1 answer, 251 views
Is it possible to call a libc function with ROP?
Let's say a hacker wants to get around ASLR, or wants to call a function that doesn't exist in the user program. Can he insert into the return address the address of the shared library function, or do these functions ...
4 votes, 1 answer, 2k views
Where in a binary can '/bin/sh' be written to get a shell?
I've come across some behaviour in a CTF challenge that seems very strange and I was wondering if someone could help me understand it.
The CTF challenge was the can-you-gets-me challenge in ...
3 votes, 2 answers, 3k views
Stack location range on Linux for a user process
In Linux, with ASLR enabled, is there a range of addresses where the user stack address lies? What about the heap and instruction addresses (text section)? In general, is it possible to look at an address and ...